# GitHub Actions
Use skret in GitHub Actions with OIDC for secure, credential-free access to AWS SSM.
## OIDC Setup

### 1. Create the IAM OIDC Provider

Run once per AWS account:

```bash
aws iam create-open-id-connect-provider \
  --url https://token.actions.githubusercontent.com \
  --client-id-list sts.amazonaws.com \
  --thumbprint-list 6938fd4d98bab03faadb97b34396831e3780aea1
```

### 2. Create the IAM Role

Create a trust policy that limits access to your repository:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:your-org/your-repo:*"
        }
      }
    }
  ]
}
```

Save it as `trust-policy.json` and create the role:

```bash
aws iam create-role \
  --role-name skret-github-actions \
  --assume-role-policy-document file://trust-policy.json
```

### 3. Attach SSM Read Policy

Grant read-only access to the parameters under your application's prefix, plus `kms:Decrypt` restricted to calls made through SSM:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/myapp/*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "ssm.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Save it as `ssm-policy.json` and attach it to the role:

```bash
aws iam put-role-policy \
  --role-name skret-github-actions \
  --policy-name ssm-read \
  --policy-document file://ssm-policy.json
```

## Workflow Examples
### Basic: Run tests with secrets

```yaml
name: CI
on: [push, pull_request]

permissions:
  id-token: write
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/skret-github-actions
          aws-region: us-east-1

      - name: Install skret
        run: |
          curl -fsSL https://github.com/n24q02m/skret/releases/latest/download/skret_linux_amd64.tar.gz | tar xz
          sudo mv skret /usr/local/bin/

      - name: Run tests with secrets
        run: skret run -- go test ./...
```

### Sync secrets to GitHub Actions
Push secrets from AWS SSM to GitHub Actions repository secrets:

```yaml
name: Sync Secrets
on:
  workflow_dispatch:
  schedule:
    - cron: '0 6 * * 1' # Weekly Monday 6am

permissions:
  id-token: write
  contents: read

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/skret-github-actions
          aws-region: us-east-1

      - name: Install skret
        run: |
          curl -fsSL https://github.com/n24q02m/skret/releases/latest/download/skret_linux_amd64.tar.gz | tar xz
          sudo mv skret /usr/local/bin/

      - name: Sync to GitHub Actions
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          skret sync --to=github \
            --github-repo=${{ github.repository }} \
            --from-env=prod
```

### Multi-repo sync

The built-in `GITHUB_TOKEN` is scoped to the current repository, so pushing to other repositories needs a PAT with `repo` scope:

```yaml
      - name: Sync to multiple repos
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }} # PAT with repo scope
        run: |
          skret sync --to=github \
            --github-repo=your-org/app-frontend,your-org/app-backend \
            --from-env=prod
```

## Security Considerations
- Restrict the trust policy to specific branches if needed by narrowing the `sub` condition, e.g. `repo:org/repo:ref:refs/heads/main`
- Use least-privilege IAM: read-only for CI, read-write only for sync jobs
- The `id-token: write` permission is required for OIDC. Without it, the `configure-aws-credentials` action cannot request a token.
- OIDC tokens are short-lived (valid for the duration of the workflow run)
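The trust policy from step 2 and the branch restriction above are where an over-broad `sub` pattern would slip in. The following script is an added example, not skret's own code: it audits a trust policy for the conditions this page relies on (GitHub OIDC provider principal, `aud` pinned to `sts.amazonaws.com`, `sub` pinned to an org/repo) and flags a trailing `:*` as a warning rather than an error, since the page uses it as the baseline; the account id and the `with_sub` helper are constructed for the demonstration.

```python
# Added example for this page (not skret's own code): audit an IAM trust policy for the
# GitHub OIDC conditions the setup above depends on. The account id below is constructed.
import json
import re

OIDC = "token.actions.githubusercontent.com"
# sub must pin org and repo: "repo:<org>/<repo>:<ref or env>" (no wildcard before the 2nd colon).
SUB_RE = re.compile(r"^repo:[\w.-]+/[\w.-]+:.+$")

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def audit_trust_policy(policy: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the policy passes."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            findings.append(("error", f"unexpected action {stmt.get('Action')!r}"))
        fed = stmt["Principal"].get("Federated", "") if isinstance(stmt.get("Principal"), dict) else ""
        if not fed.endswith(f":oidc-provider/{OIDC}"):
            findings.append(("error", f"principal {fed!r} is not the GitHub OIDC provider"))
        cond = stmt.get("Condition", {})
        if _as_list(cond.get("StringEquals", {}).get(f"{OIDC}:aud")) != ["sts.amazonaws.com"]:
            findings.append(("error", "aud condition missing or not sts.amazonaws.com"))
        subs = [s for op in ("StringEquals", "StringLike")
                for s in _as_list(cond.get(op, {}).get(f"{OIDC}:sub"))]
        if not subs:
            findings.append(("error", "no sub condition: any GitHub repository could assume the role"))
        for sub in subs:
            if not SUB_RE.match(sub):
                findings.append(("error", f"sub {sub!r} does not pin org/repo"))
            elif sub.endswith(":*"):
                findings.append(("warn", f"sub {sub!r} allows any branch, tag or environment"))
    return findings

def with_sub(policy: dict, sub: str) -> dict:
    """Deep copy of the policy with its StringLike sub replaced (constructed demo helper)."""
    p = json.loads(json.dumps(policy))
    p["Statement"][0]["Condition"]["StringLike"][f"{OIDC}:sub"] = sub
    return p

PAGE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "sts:AssumeRoleWithWebIdentity", "Principal": {"Federated":
  "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
  "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
  "StringLike": {"token.actions.githubusercontent.com:sub": "repo:your-org/your-repo:*"}}}]}""")
```

Running `audit_trust_policy(PAGE_POLICY)` yields only the branch-wildcard warning, while `with_sub(PAGE_POLICY, "repo:your-org/your-repo:ref:refs/heads/main")` passes clean.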